Danny: That would certainly be a good idea (thanks! - I didn't know about this..) if we were storing user password info. But what I need is a place to store password info for the servlet/pool to *connect* to the database... Any more ideas are certainly welcome!
Thanks again!
Geeta

Danny Rubis wrote:

> Hey!
>
> If you are using IBM DB2 you can use their 'encryption' datatype.
>
> Sans adieu,
> Danny
>
> Geeta Ramani wrote:
>
> > Thank you, Matt, for your prompt response. We do have our own server, use SSL,
> > protect our directories, and the database I believe is further protected from the
> > evil world by firewalls and gateways and views and what not. But your advice seems
> > to be to do everything we can - I'll follow it and look into encryption/decryption
> > algorithms then: thanks very much!
> > Geeta
> >
> > Matt Penner wrote:
> >
> > > If saving your passwords (or really any sensitive information) in any kind of a
> > > system whether it is a flat file (txt, XML, etc) or a database there is no sure
> > > way of keeping this safe. So use as many measures as you can without
> > > compromising usability. This way if the OS gets compromised and the file is
> > > available they won't be able to readily read your information. Especially
> > > necessary if you're not hosting your own server. The admins aren't supposed to
> > > look in your files but you can't be too trusting and you're relying on their
> > > ability to keep the system secure.
> > >
> > > The basic idea I have seen is that you use whatever security the OS/Database
> > > can give you (like you have) as well as an encryption scheme when saving the
> > > data.
> > >
> > > This can be simply your own function which can encrypt / decrypt what you store
> > > or retrieve from the XML file, or you can go as in depth as you want and use
> > > some major encryption schemes.
> > >
> > > Hope this helps,
> > > Matt
> > >
> > > Quoting Geeta Ramani <[EMAIL PROTECTED]>:
> > >
> > > > Hi all:
> > > >
> > > > The subject says it all: currently I am storing information that my
> > > > connection pool uses like database URL, username and password in the
> > > > web.xml as init-params. I thought that if I secured WEB-INF with go-rwx,
> > > > this is secure. But in a recent code-review this has been brought into
> > > > question. So here are my questions:
> > > >
> > > > 1. Am I deluding myself that this is safe?
> > > > 2. If so, is there some way that any of you has solved the problem?
> > > >
> > > > I looked in the archives, but all the discussion with passwords seems to
> > > > be around the issue of encrypting un/pw pairs entered in a browser, for
> > > > which, of course, SSL and one way encryption can be used. I mention this
> > > > so my question is not misunderstood.
> > > >
> > > > Thanks very much!
> > > > Geeta
> > > >
> > > > ___________________________________________________________________________
> > > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > > of the message "signoff SERVLET-INTEREST".
> > > >
> > > > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > > > Resources: http://java.sun.com/products/servlet/external-resources.html
> > > > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
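An added example (not part of the thread or any poster's code) of the approach Matt describes, applied to the pool password: the `web.xml` init-param holds only an AES-GCM ciphertext, and the key lives in a file outside the webapp that is rejected unless it is owner-only. The class name `PoolSecret`, the key-file layout and the sample password are assumptions, and a POSIX file system is assumed; this guards against disclosure of `web.xml` alone, not against compromise of the account the container runs as.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.SecureRandom;
import java.util.*;

public class PoolSecret {
    static final int IV_LEN = 12, TAG_BITS = 128;
    // Load the AES key from outside the webapp; reject it unless only the owner has access (go-rwx).
    static byte[] loadKey(Path keyFile) throws Exception {
        for (PosixFilePermission p : Files.getPosixFilePermissions(keyFile))
            if (!p.name().startsWith("OWNER_")) throw new SecurityException(keyFile + " grants " + p);
        byte[] key = Files.readAllBytes(keyFile);
        if (key.length != 32) throw new SecurityException("expected a 32-byte AES-256 key");
        return key;
    }
    // The IV is read from the first IV_LEN bytes of the buffer passed in.
    static Cipher gcm(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv, 0, IV_LEN));
        return c;
    }
    // Output is base64(iv || ciphertext || tag): the value to place in the init-param.
    static String encrypt(byte[] key, String password) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every encryption under the same key
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Throws AEADBadTagException if the stored value was altered or the key is wrong.
    static String decrypt(byte[] key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] pt = gcm(Cipher.DECRYPT_MODE, key, in).doFinal(in, IV_LEN, in.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: a temp file stands in for a key provisioned outside WEB-INF.
        Path keyFile = Files.createTempFile("pool", ".key");
        Files.setPosixFilePermissions(keyFile, EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        byte[] k = new byte[32]; new SecureRandom().nextBytes(k); Files.write(keyFile, k);
        String stored = encrypt(loadKey(keyFile), "constructed-db-password");
        System.out.println(stored + " -> " + decrypt(loadKey(keyFile), stored));
        Files.delete(keyFile);
    }
}
```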
